Data protection – uncertainty grows

Further developments suggest lawyers will have to get used to uncertainty surrounding the law on EU-US data transfers.

In the field of data protection, lawyers are going to have to become used for the time being to what they hate most: legal uncertainty. As a result of developments over the last few days, the legal status of data being transferred from the EU to the US has become even more uncertain, with no watertight solution in sight.

As the saga has unfolded over the last few months, I have provided updates, from which those new to the topic can bring themselves up to speed on the background.

Essentially, the Schrems case last year threw into doubt the previous ‘Safe Harbour’ regime for EU-US data transfers, as a result of which the EU negotiated the ‘Privacy Shield’. This new arrangement had already been attacked as inadequate by the Article 29 working party made up of national data protection commissioners from all the member states. And over the last few days it has been further attacked.

First, the European Parliament passed a non-legislative resolution. It drew attention to what all the Shield’s critics have highlighted, namely:

the US authorities’ access to data transferred under the Privacy Shield;

the possibility of the US collecting bulk data in some cases, which does not meet the criteria of necessity and proportionality laid down in the EU Charter of Fundamental Rights;

the powers of the proposed US ombudsperson, which the MEPs believe to be neither sufficiently independent, nor adequate to effectively exercise and enforce its duty, and

the complexity of the redress mechanism.

Then, a few days later, the European Data Protection Supervisor, the independent supervisory authority at EU level with responsibility for advising on policies and legislation that affect privacy, highlighted the deficiencies of the Privacy Shield in a published opinion, siding with the Article 29 working party above (of which he is a member).

In particular, he said that the Shield is not robust enough to withstand future legal scrutiny before the Court of Justice of the European Union, and that significant improvements - and a longer term solution in the transatlantic dialogue - are needed.

My heart is with the EU, but my head says that uncertainty is bad for business and the law

The EU is hoping to finalise ‘Privacy Shield’ by early July, but it will be impossible to renegotiate anything substantive by then. In fact, the word is that they are not going to renegotiate. They know that the ‘Shield’ will be challenged, and are prepared to wait for the eventual outcome of any court decision.

As if that is not enough uncertainty for lawyers who need to advise clients and their own firms about what to do about EU-US data transfers, there has been another recent blow, not against the ‘Privacy Shield’ but against a solution which many had felt to be a temporary safeguard while awaiting the outcome of the ‘Shield’ negotiations. This relates to model contractual clauses, which the European Commission itself had promoted as providing adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms.

Source: Thinkstock

Well, that escape route is also under challenge, and all because of actions taken by the primary campaigner in this field, the Austrian privacy activist, Max Schrems, who has been battling against Facebook through the data commissioner for the member state of Facebook’s legal seat in the EU, Ireland.

Max Schrems has just announced that the Irish data protection commissioner has referred these model clauses to the Court of Justice of the European Union for a ruling on whether such a switch of legal basis for data transfers does indeed change the underlying problem of applicable US mass surveillance laws and the lack of legal redress in the US, especially for foreign nationals.

If the court eventually rules against, it will mean one less route open in the lawyers’ range of advice.

The essential struggle is between security (the US’s insistence on its intelligence agencies having access to EU data) and liberty (the EU’s insistence on the right to privacy for its citizens). It is an old struggle, playing out in many political arenas. Neither side seems in the mood to compromise, and so the uncertainty will continue.

My heart is with the EU, but my head says that uncertainty is bad for business and the law. I can see the benefits of waiting for the Court of Justice to rule on these issues, and then using the decisions to reopen the negotiations.

But there will be a cost in the meanwhile. The strongest side will presumably eventually win – but is that the EU in this battle, and when will it happen?

Jonathan Goldsmithis a consultant and former secretary-general at the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs